
SSL/TLS Inspection is blocking Veeam Backup Agent

Hi,

Until last week I've used only the web proxy functionality.
Now I've configured the SSL/TLS Inspection and have a strange behavior.

The Veeam Backup and Replication Server (Backup03 - in Backup-LAN) can back up the ESX-Server in LAN.
But the Veeam Agent on a Windows 10 PC (in LAN too) can't be backed up.

These are the responsible Firewall Rules (as you can see...no web scanning active)

For testing I've created an extra Inspection Rule to NOT decrypt internal connections

But as long as I've activated the SSL/TLS Inspection Module the backup is failing

When I disable the SSL/TLS Module everything works like a charm.

Sometimes (not every time) I get a log entry with "InvalidURL"

I think the SSL/TLS Inspection Module is scanning EVERY traffic, whether it's configured in the firewall rule or not. Is that correct?

My plan is to inspect the Internal -> WAN traffic only but NOT the internal traffic between subnets/VLANs.

I've found a similar thread here from about 2 years ago (https://community.sophos.com/sophos-xg-firewall/f/discussions/118733/xg-v18-ssl-tls-inspection-interfering-with-veeam-cloud-provider-replication/431230#431230).

Does someone have a clue where to configure this?

Best regards.

Gotschek



  • Thank you.

    That looks good (the first tests were successful)

    But to clarify: <Number> means the ID of the Firewall Rule (not the order number at the beginning of the line)

    In my case: 

    console> set ips ac_atp exception fwrules 35,36

    I will test it over the next few days.

  • Yes - That is the FW ID of the internal System. The other one is the human readable number. 

    There is a Bug ID to address this. Bug ID: NC-82042

    There should be a fix available for V19.0 GA. But in the meantime, you can use the workaround. 
